Secondary Categories: 02 - Information Gathering Links: Checklist Search Tag:📕
Local System Enumeration
Windows
Before downloading and running any tools, perform the following checks:
- Check for EDR/AV tooling
- Check whether the current user is a local admin on the system
- Check for any proxy settings or tools being used on the system
- Check start-up processes
- Connect to domain
- Check running processes with ps or Task Manager
- Check for users currently logged on to the system with net logons
Screen Shot
Many of the C2 frameworks have built-in screenshot functionality; for example, in Cobalt Strike you can use one of the following built-in commands:
- printscreen: take a single screenshot via the PrintScr method
- screenshot: take a single screenshot
- screenwatch: take periodic screenshots of the desktop
NOTICE: This is typically an opsec-safe thing to do if you don't have direct access to the system, and it can really help the operator before planning the next move.
Keylogger
This is a bit risky: many keyloggers are easily caught by EDR/AV, but if you want to go ahead, Cobalt Strike has a keylogger command to read keystrokes.
The keylogger can be killed using the jobs command.
Clipboard
This is another opsec-safe method to check for passwords that may be on the logged-on user's clipboard. Cobalt Strike has a clipboard command that can be used to read all the data in the clipboard.
Open Source Tools
Once you have gone through the main list above you can use tools such as:
If you are using a C2 framework such as Sliver or Cobalt Strike you can use the execute-assembly functionality. Example output:
beacon> execute-assembly C:\Tools\Seatbelt\Seatbelt\bin\Release\Seatbelt.exe -group=system
====== AntiVirus ======
Engine : Windows Defender
ProductEXE : windowsdefender://
ReportingEXE : %ProgramFiles%\Windows Defender\MsMpeng.exe
====== AppLocker ======
[*] Applocker is not running because the AppIDSvc is not running
====== DotNet ======
Installed CLR Versions
4.0.30319
Installed .NET Versions
4.8.04084
Anti-Malware Scan Interface (AMSI)
OS supports AMSI : True
.NET version support AMSI : True
[!] The highest .NET version is enrolled in AMSI!
====== InternetSettings ======
HKCU ProxyEnable : 1
HKCU ProxyOverride : *.cyberbotic.io;<local>
HKCU ProxyServer : squid.dev.cyberbotic.io:3128
====== LAPS ======
LAPS Enabled : False
====== OSInfo ======
Hostname : wkstn-2
Domain Name : dev.cyberbotic.io
Username : DEV\bfarmer
Build : 19044.1889
BuildBranch : vb_release
CurrentMajorVersionNumber : 10
CurrentVersion : 6.3
Architecture : AMD64
IsLocalAdmin : True
[*] In medium integrity but user is a local administrator - UAC can be bypassed.
TimeZone : Coordinated Universal Time
====== PowerShell ======
Installed CLR Versions
4.0.30319
Installed PowerShell Versions
2.0
[!] Version 2.0.50727 of the CLR is not installed - PowerShell v2.0 won't be able to run.
5.1.19041.1
====== UAC ======
ConsentPromptBehaviorAdmin : 5 - PromptForNonWindowsBinaries
EnableLUA (Is UAC enabled?) : 1
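The Seatbelt report above is, from a defender's side, a host posture snapshot: LAPS off, the interactive user a local admin, UAC at its default prompt level, AppLocker not enforcing, and an egress proxy in place. The parser below is an added example (not Seatbelt's code and not part of the original notes) that turns that text layout into structured sections and derives the findings a blue team would triage. It assumes the format shown on this page: "====== Name ======" section headers, "Key : Value" lines and "[*]" / "[!]" note lines; the sample report is constructed from the page's output.

```python
"""Parse Seatbelt-style text output and derive defender-facing posture findings.

Added example, not Seatbelt's own code. Assumes the plain-text layout shown
on the page: '====== Name ======' section headers, 'Key : Value' lines and
'[*]' / '[!]' note lines. SAMPLE_REPORT is constructed from the page output.
"""
import re
from typing import Dict, List

# Constructed sample: a trimmed copy of the Seatbelt output shown above.
SAMPLE_REPORT = """\
====== AntiVirus ======
Engine : Windows Defender
ProductEXE : windowsdefender://
====== AppLocker ======
[*] Applocker is not running because the AppIDSvc is not running
====== DotNet ======
Anti-Malware Scan Interface (AMSI)
OS supports AMSI : True
.NET version support AMSI : True
[!] The highest .NET version is enrolled in AMSI!
====== InternetSettings ======
HKCU ProxyEnable : 1
HKCU ProxyServer : squid.dev.cyberbotic.io:3128
====== LAPS ======
LAPS Enabled : False
====== OSInfo ======
Hostname : wkstn-2
Username : DEV\\bfarmer
IsLocalAdmin : True
[*] In medium integrity but user is a local administrator - UAC can be bypassed.
====== UAC ======
ConsentPromptBehaviorAdmin : 5 - PromptForNonWindowsBinaries
EnableLUA (Is UAC enabled?) : 1
"""

SECTION_RE = re.compile(r"^=+\s*(?P<name>.+?)\s*=+$")
KV_RE = re.compile(r"^(?P<key>[^:]+?)\s*:\s*(?P<value>.*)$")
NOTE_RE = re.compile(r"^\[[*!]\]\s*(?P<text>.+)$")


def parse_seatbelt(text: str) -> Dict[str, dict]:
    """Return {section: {"fields": {key: value}, "notes": [text, ...]}}."""
    sections: Dict[str, dict] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            current = m.group("name")
            sections[current] = {"fields": {}, "notes": []}
            continue
        if current is None:  # text before the first header is ignored
            continue
        m = NOTE_RE.match(line)
        if m:
            sections[current]["notes"].append(m.group("text"))
            continue
        m = KV_RE.match(line)
        if m:  # first colon splits key from value; later colons stay in the value
            sections[current]["fields"][m.group("key")] = m.group("value")
        # bare sub-headings such as "Anti-Malware Scan Interface (AMSI)" are skipped
    return sections


def posture_findings(sections: Dict[str, dict]) -> List[str]:
    """Map parsed fields to hardening findings a defender should act on."""

    def field(section: str, key: str):
        return sections.get(section, {}).get("fields", {}).get(key)

    findings: List[str] = []
    if field("LAPS", "LAPS Enabled") == "False":
        findings.append("LAPS not enabled: local admin password is not randomised or rotated")
    if field("OSInfo", "IsLocalAdmin") == "True":
        findings.append("Interactive user is a local administrator")
    if field("UAC", "EnableLUA (Is UAC enabled?)") != "1":
        findings.append("UAC disabled")
    cpba = field("UAC", "ConsentPromptBehaviorAdmin") or ""
    # 2 = prompt for consent on the secure desktop; 5 is the Windows default
    if not cpba.startswith("2"):
        findings.append(f"UAC admin prompt is not 'always prompt' (ConsentPromptBehaviorAdmin={cpba})")
    applocker_notes = sections.get("AppLocker", {}).get("notes", [])
    if any("AppIDSvc is not running" in n for n in applocker_notes):
        findings.append("AppLocker not enforcing: AppIDSvc stopped")
    if field("InternetSettings", "HKCU ProxyEnable") == "1":
        proxy = field("InternetSettings", "HKCU ProxyServer")
        findings.append(f"Outbound HTTP egress via proxy {proxy}: proxy logs are a detection source")
    return findings


if __name__ == "__main__":
    for finding in posture_findings(parse_seatbelt(SAMPLE_REPORT)):
        print("-", finding)
```

Pointing the script at a saved report instead of the embedded sample is a matter of reading the file into parse_seatbelt; the findings list is deliberately a plain list of strings so it can be dropped into a ticket or a baseline diff.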
Linux
Resources:
| Title | URL |
|---|---|
| Seatbelt | https://github.com/GhostPack/Seatbelt |
Created Date: November 6th 2022 15:43
Last Modified Date: November 6th 2022 15:43